X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=ssl%2Fs3_both.c;h=b26fbe36371648926f50cc891d507348ba5bbbc7;hb=65f0efe198fa6d4bf1b42bc42e80c2dcaa2813c9;hp=409120badecd960ac7b7dc0b3c0a933e1e197b2f;hpb=48948d53b6f61aa14bc5eab33f67f124c43175ff;p=openssl.git diff --git a/ssl/s3_both.c b/ssl/s3_both.c index 409120bade..b26fbe3637 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -108,18 +108,23 @@ * Hudson (tjh@cryptsoft.com). * */ +/* ==================================================================== + * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. + * ECC cipher suite support in OpenSSL originally developed by + * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. + */ #include #include #include +#include "ssl_locl.h" #include #include #include #include #include -#include "ssl_locl.h" -/* send s->init_buf in records of type 'type' */ +/* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */ int ssl3_do_write(SSL *s, int type) { int ret; @@ -133,7 +138,11 @@ int ssl3_do_write(SSL *s, int type) ssl3_finish_mac(s,(unsigned char *)&s->init_buf->data[s->init_off],ret); if (ret == s->init_num) + { + if (s->msg_callback) + s->msg_callback(1, s->version, type, s->init_buf->data, (size_t)(s->init_off + s->init_num), s, s->msg_callback_arg); return(1); + } s->init_off+=ret; s->init_num-=ret; return(0); @@ -264,16 +273,23 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) X509_STORE_CTX xs_ctx; X509_OBJECT obj; + int no_chain; + + if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs) + no_chain = 1; + else + no_chain = 0; + /* TLSv1 sends a chain with nothing in it, instead of an alert */ buf=s->init_buf; - if (!BUF_MEM_grow(buf,(int)(10))) + if (!BUF_MEM_grow_clean(buf,10)) { SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB); return(0); } if (x != NULL) { - if(!X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL)) + if(!no_chain && !X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL)) { SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB); return(0); @@ -282,7 +298,7 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) for (;;) { n=i2d_X509(x,NULL); - if (!BUF_MEM_grow(buf,(int)(n+l+3))) + if (!BUF_MEM_grow_clean(buf,(int)(n+l+3))) { SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB); return(0); @@ -291,6 +307,10 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) l2n3(n,p); i2d_X509(x,&p); l+=n+3; + + if (no_chain) + break; + if (X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)) == 0) break; @@ -302,8 +322,8 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) * ref count */ X509_free(x); } - - X509_STORE_CTX_cleanup(&xs_ctx); + if (!no_chain) + X509_STORE_CTX_cleanup(&xs_ctx); } /* Thawte special :-) */ @@ -312,7 +332,7 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) { x=sk_X509_value(s->ctx->extra_certs,i); n=i2d_X509(x,NULL); - if (!BUF_MEM_grow(buf,(int)(n+l+3))) + if (!BUF_MEM_grow_clean(buf,(int)(n+l+3))) { SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB); return(0); @@ -357,7 +377,8 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) } *ok=1; s->init_msg = s->init_buf->data + 4; - return((int)s->s3->tmp.message_size); + s->init_num = (int)s->s3->tmp.message_size; + return s->init_num; } p=(unsigned char *)s->init_buf->data; @@ -392,8 +413,10 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) { s->init_num = 0; skip_message = 1; + + if (s->msg_callback) + s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, 4, s, s->msg_callback_arg); } - } while (skip_message); @@ -432,7 +455,7 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_EXCESSIVE_MESSAGE_SIZE); goto f_err; } - if (l && !BUF_MEM_grow(s->init_buf,(int)l+4)) + if (l && !BUF_MEM_grow_clean(s->init_buf,(int)l+4)) { SSLerr(SSL_F_SSL3_GET_MESSAGE,ERR_R_BUF_LIB); goto err; @@ -460,6 +483,8 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) n -= i; } ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4); + if (s->msg_callback) + s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, (size_t)s->init_num + 4, s, s->msg_callback_arg); *ok=1; return s->init_num; f_err: @@ -472,7 +497,7 @@ err: int ssl_cert_type(X509 *x, EVP_PKEY *pkey) { EVP_PKEY *pk; - int ret= -1,i,j; + int ret= -1,i; if (pkey == NULL) pk=X509_get_pubkey(x); @@ -484,35 +509,17 @@ int ssl_cert_type(X509 *x, EVP_PKEY *pkey) if (i == EVP_PKEY_RSA) { ret=SSL_PKEY_RSA_ENC; - if (x != NULL) - { - j=X509_get_ext_count(x); - /* check to see if this is a signing only certificate */ - /* EAY EAY EAY EAY */ - } } else if (i == EVP_PKEY_DSA) { ret=SSL_PKEY_DSA_SIGN; } - else if (i == EVP_PKEY_DH) +#ifndef OPENSSL_NO_EC + else if (i == EVP_PKEY_EC) { - /* if we just have a key, we needs to be guess */ - - if (x == NULL) - ret=SSL_PKEY_DH_DSA; - else - { - j=X509_get_signature_type(x); - if (j == EVP_PKEY_RSA) - ret=SSL_PKEY_DH_RSA; - else if (j== EVP_PKEY_DSA) - ret=SSL_PKEY_DH_DSA; - else ret= -1; - } + ret = SSL_PKEY_ECC; } - else - ret= -1; +#endif err: if(!pkey) EVP_PKEY_free(pk); @@ -539,6 +546,8 @@ int ssl_verify_alarm_type(long type) case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_CRL_NOT_YET_VALID: + case X509_V_ERR_CERT_UNTRUSTED: + case X509_V_ERR_CERT_REJECTED: al=SSL_AD_BAD_CERTIFICATE; break; case X509_V_ERR_CERT_SIGNATURE_FAILURE: @@ -560,11 +569,16 @@ int ssl_verify_alarm_type(long type) case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: case X509_V_ERR_CERT_CHAIN_TOO_LONG: + case X509_V_ERR_PATH_LENGTH_EXCEEDED: + case X509_V_ERR_INVALID_CA: al=SSL_AD_UNKNOWN_CA; break; case X509_V_ERR_APPLICATION_VERIFICATION: al=SSL_AD_HANDSHAKE_FAILURE; break; + case X509_V_ERR_INVALID_PURPOSE: + al=SSL_AD_UNSUPPORTED_CERTIFICATE; + break; default: al=SSL_AD_CERTIFICATE_UNKNOWN; break; @@ -576,6 +590,7 @@ int ssl3_setup_buffers(SSL *s) { unsigned char *p; unsigned int extra; + size_t len; if (s->s3->rbuf.buf == NULL) { @@ -583,18 +598,21 @@ int ssl3_setup_buffers(SSL *s) extra=SSL3_RT_MAX_EXTRA; else extra=0; - if ((p=OPENSSL_malloc(SSL3_RT_MAX_PACKET_SIZE+extra)) - == NULL) + len = SSL3_RT_MAX_PACKET_SIZE + extra; + if ((p=OPENSSL_malloc(len)) == NULL) goto err; - s->s3->rbuf.buf=p; + s->s3->rbuf.buf = p; + s->s3->rbuf.len = len; } if (s->s3->wbuf.buf == NULL) { - if ((p=OPENSSL_malloc(SSL3_RT_MAX_PACKET_SIZE)) - == NULL) + len = SSL3_RT_MAX_PACKET_SIZE; + len += SSL3_RT_HEADER_LENGTH + 256; /* extra space for empty fragment */ + if ((p=OPENSSL_malloc(len)) == NULL) goto err; - s->s3->wbuf.buf=p; + s->s3->wbuf.buf = p; + s->s3->wbuf.len = len; } s->packet= &(s->s3->rbuf.buf[0]); return(1);